snapshot: Don't cause invalid reads

1. Pass clip rectangles to gtk_snapshot_push_state() that point into
   the state array.
2. g_array_set_size(len+1) the state array
3. Make that function realloc() the state array.
4. The clip rectangle now points into invalid memory
5. Use the clip array

This patch fixes things by moving step 5 to before step 2.

diff --git a/gtk/gtksnapshot.c b/gtk/gtksnapshot.c
index c383364275f380df941dde07162244dadd28266d..ad7b2d358a792a9a838e6942915747ee0c24b8df 100644 (file)
--- a/gtk/gtksnapshot.c
+++ b/gtk/gtksnapshot.c
@@ -116,24 +116,24 @@ gtk_snapshot_push_state (GtkSnapshot            *snapshot,
                          int                     translate_y,
                          GtkSnapshotCollectFunc  collect_func)
 {
-  GtkSnapshotState *state;
-
-  g_array_set_size (snapshot->state_stack, snapshot->state_stack->len + 1);
-  state = &g_array_index (snapshot->state_stack, GtkSnapshotState, snapshot->state_stack->len - 1);
+  GtkSnapshotState state = { 0, };
 
-  state->name = name;
+  state.name = name;
   if (clip)
     {
-      state->clip = *clip;
-      state->has_clip = TRUE;
+      state.clip = *clip;
+      state.has_clip = TRUE;
     }
-  state->translate_x = translate_x;
-  state->translate_y = translate_y;
-  state->collect_func = collect_func;
-  state->start_node_index = snapshot->nodes->len;
-  state->n_nodes = 0;
 
-  return state;
+  state.translate_x = translate_x;
+  state.translate_y = translate_y;
+  state.collect_func = collect_func;
+  state.start_node_index = snapshot->nodes->len;
+  state.n_nodes = 0;
+
+  g_array_append_val (snapshot->state_stack, state);
+
+  return &g_array_index (snapshot->state_stack, GtkSnapshotState, snapshot->state_stack->len - 1);
 }
 
 static GtkSnapshotState *